wordpress · 8 min · 2026-03-30
WordPress Maintenance: My Monthly Checklist
The exact maintenance tasks I perform monthly on WordPress and WooCommerce client sites. Updates, backups, security, performance, and database optimization.
Short answer: Every WordPress site needs monthly maintenance. Not optional. WordPress core updates, plugin updates, security scans, backup verification, performance checks, and database cleanup. Skip this and you get hacked, slowed down, or broken — usually all three. Here is the exact checklist I run on client sites every month.
WordPress is software, and software requires maintenance. I have cleaned up hacked WooCommerce stores that had not been updated in eighteen months. I have debugged crashed sites where a plugin update broke compatibility with an outdated PHP version. Every one of these situations was preventable with basic monthly maintenance.
This checklist takes 30-60 minutes per site. The cost of not doing it is significantly higher — emergency fixes, lost sales from downtime, and security breaches that erode customer trust.
The Monthly Maintenance Checklist
1. Full Backup Before Anything Else
Never update anything without a verified backup.
- Run a full backup (files + database) via UpdraftPlus or your hosting's backup system
- Verify the backup completed successfully (check file size — a 0KB backup is not a backup)
- Confirm the backup is stored off-site (Google Drive, S3, or Dropbox — not just on the server)
- If using hosting backups only, download one copy locally
On Cloudways, I use the built-in backup system plus UpdraftPlus as a secondary. Two backup sources means if one fails, the other catches it.
Time: 5 minutes
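The verification step above can be scripted. This is an added example, not part of the original checklist or any plugin's own tooling: it fails on a missing, tiny, stale, or corrupt backup archive. The function name and the default thresholds (1024 bytes, 24 hours) are assumptions.

```sh
#!/bin/sh
# Added example (not from the article): refuse to start updates unless the
# backup file exists, is not tiny, is recent, and passes an archive test.
# MIN_BYTES and MAX_AGE_HOURS defaults are assumptions; tune them per site.

# Usage: verify_backup FILE [MIN_BYTES] [MAX_AGE_HOURS]
verify_backup() {
    vb_file=$1
    vb_min=${2:-1024}
    vb_age=${3:-24}

    [ -f "$vb_file" ] || { echo "FAIL missing: $vb_file"; return 1; }

    vb_size=$(wc -c < "$vb_file" | tr -d ' ')
    [ "$vb_size" -ge "$vb_min" ] ||
        { echo "FAIL too small ($vb_size bytes): $vb_file"; return 1; }

    # find prints the path only if it was modified more than N minutes ago.
    [ -z "$(find "$vb_file" -mmin +$((vb_age * 60)) -print)" ] ||
        { echo "FAIL stale: $vb_file"; return 1; }

    # A non-empty file can still be a truncated upload, so test the archive.
    case $vb_file in
        *.tar.gz|*.tgz) tar -tzf "$vb_file" >/dev/null 2>&1 ;;
        *.gz)           gzip -t "$vb_file" 2>/dev/null ;;
        *.zip)          unzip -tq "$vb_file" >/dev/null 2>&1 ;;
        *)              echo "FAIL unknown archive type: $vb_file"; return 1 ;;
    esac || { echo "FAIL corrupt archive: $vb_file"; return 1; }

    echo "OK $vb_size bytes: $vb_file"
}

# Run as: sh verify-backup.sh /backups/site-db.sql.gz   (placeholder path)
if [ -n "${1:-}" ]; then
    verify_backup "$@"
fi
```

An archive that passes these checks is intact, not necessarily restorable; a periodic test restore on staging is still the real proof.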
2. Update WordPress Core
- Check if a WordPress core update is available (Dashboard → Updates)
- Read the release notes — check for breaking changes
- Update on staging first if the site is business-critical
- Update on production
- Spot-check the site: homepage loads, key pages work, forms submit, cart/checkout functions (for WooCommerce)
Important: Never update WordPress core on the same day as a major plugin update. If something breaks, you need to know which update caused it.
Time: 5 minutes
3. Update Plugins (One at a Time)
This is where most maintenance problems happen. Plugin updates can break sites.
- Review available plugin updates — read each changelog
- Update plugins one at a time, not all at once
- After each update, check the site for visual or functional issues
- Pay special attention to: WooCommerce updates, page builder updates, and SEO plugin updates — these touch the most critical site functions
- If an update breaks something, roll back to the previous version (most managed hosts have one-click rollback)
The order I update plugins in:
- Security plugins first (Wordfence) — security patches should not wait
- Performance plugins (WP Rocket, Perfmatters)
- SEO plugins (Rank Math)
- Form plugins (WPForms, Gravity Forms)
- WooCommerce + WooCommerce extensions (always together)
- Everything else
For the ARSA Multisite platform, plugin updates require extra care — a plugin update on the network level affects every sub-site simultaneously. I test updates on a staging clone of the entire network before pushing to production.
Time: 10-15 minutes
4. Update Theme
- Check for a theme update
- If using a child theme, verify child theme overrides are still compatible
- Update and visual-check key pages
Time: 3 minutes
5. Security Scan
- Run a full Wordfence scan (or your security plugin's scan)
- Review scan results — check for: modified core files, suspicious files, known vulnerabilities
- Check the firewall log for blocked attacks — note any unusual patterns
- Verify two-factor authentication is still active on all admin accounts
- Check user list — remove any accounts that should not exist
- Verify file permissions are correct (directories: 755, files: 644)
Red flags that need immediate attention:
- Modified core files that you did not change
- New admin users you did not create
- Files in /wp-content/uploads/ that are not images (PHP files in uploads = compromised)
- Sudden traffic spikes to odd URLs
Time: 5 minutes (unless issues found)
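Two of the checks above (file permissions, and PHP files in uploads) can be run from the shell alongside the plugin scan. This is an added example, not from the original article or from Wordfence; the function names and the list of PHP-executable extensions are assumptions.

```sh
#!/bin/sh
# Added example (not from the article): audit a WordPress tree for PHP files
# in uploads and for modes other than 755 (dirs) / 644 (files).
# The extension list below is an assumption; adjust it to your server config.

# List files under wp-content/uploads that a web server may run as PHP,
# including double extensions such as thumb.php.jpg.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
           -o -iname '*.phar' -o -iname '*.php.*' \) -print 2>/dev/null | sort
}

# List directories not at 755 and files not at 644. Stricter modes (for
# example 600 on wp-config.php) are listed too: review them, do not loosen.
find_bad_perms() {
    find "$1" \( \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) \) \
        -print 2>/dev/null | sort
}

# Print findings; return 0 when clean, 1 when anything needs review.
audit_wordpress() {
    audit_status=0
    audit_php=$(find_php_in_uploads "$1")
    audit_perms=$(find_bad_perms "$1")
    if [ -n "$audit_php" ]; then
        printf 'PHP-executable files in uploads:\n%s\n' "$audit_php"
        audit_status=1
    fi
    if [ -n "$audit_perms" ]; then
        printf 'Paths not at 755/644:\n%s\n' "$audit_perms"
        audit_status=1
    fi
    return "$audit_status"
}

# Run as: sh wp-audit.sh /var/www/html   (path is a placeholder)
if [ -n "${1:-}" ]; then
    audit_wordpress "$1"
fi
```

The non-zero exit status makes the script usable from cron or a monitoring check, so a finding raises an alert between monthly runs.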
Monthly security scans catch vulnerabilities before they become problems
6. Performance Check
- Run Google PageSpeed Insights on homepage and one product/service page
- Compare scores to last month — any significant drops?
- Check TTFB — if it has increased, investigate hosting or database issues
- Verify WP Rocket cache is active and functioning
- Check CDN is serving assets correctly (if using Cloudflare or similar)
Performance regression causes I see most often:
- A plugin update added new frontend scripts
- An admin installed a new plugin without checking performance impact
- Database bloat from accumulated transients, revisions, or WooCommerce sessions
- Image uploads without optimization
If PageSpeed drops by more than 10 points month-over-month, investigate. Something changed.
Time: 5 minutes
7. Database Optimization
WordPress databases accumulate bloat every month. On WooCommerce stores, this is accelerated by order data, cart sessions, and transient caches.
- Delete post revisions (keep last 3-5 per post if you prefer)
- Clean expired transients
- Remove trashed posts/pages/products
- Delete spam comments permanently
- Clean WooCommerce sessions (expired carts)
- Optimize database tables (run OPTIMIZE TABLE)
- Clean Action Scheduler entries older than 30 days (WooCommerce)
WP Rocket handles most of this automatically if you enable the database optimization schedule. I set it to run weekly.
For manual optimization or deeper cleanup, I use WP-Optimize (free).
Time: 5 minutes (automated) or 10 minutes (manual)
8. Uptime and Error Check
- Check uptime monitoring (UptimeRobot or BetterUptime) — any downtime incidents this month?
- Review error logs (PHP errors, 404s, 500s)
- Check for broken links (especially after any URL changes)
- Verify SSL certificate is valid and not expiring soon
Time: 3 minutes
9. Content and SEO Quick Check
- Check Google Search Console for any manual actions or security issues
- Review crawl errors — new 404s? Redirect chain issues?
- Verify sitemap is accessible and up to date
- Check that Rank Math or your SEO plugin is functioning (no broken schema, no missing meta tags)
Time: 5 minutes
10. WooCommerce-Specific Checks (If Applicable)
For WooCommerce stores, add these to the monthly checklist:
- Test the full checkout flow (add to cart → checkout → payment → confirmation)
- Verify payment gateway is processing correctly (run a test transaction if possible)
- Check email notifications are sending (order confirmation, shipping notification)
- Review failed orders — any payment gateway issues?
- Verify inventory sync is accurate (if using external inventory management)
- Check shipping rates are calculating correctly
- Review cart abandonment rates — sudden changes suggest a UX issue
Time: 10 minutes
The Complete Checklist (Copy This)
MONTHLY WORDPRESS MAINTENANCE
==============================
Site: ____________________
Date: ____________________
[ ] 1. BACKUP
    [ ] Full backup (files + database)
    [ ] Verify backup completed (check file size)
    [ ] Confirm off-site storage
[ ] 2. WORDPRESS CORE UPDATE
    [ ] Read release notes
    [ ] Update (staging first if critical)
    [ ] Spot-check site
[ ] 3. PLUGIN UPDATES
    [ ] Update one at a time
    [ ] Check site after each update
    [ ] Note any issues
[ ] 4. THEME UPDATE
    [ ] Update theme
    [ ] Visual check
[ ] 5. SECURITY SCAN
    [ ] Full Wordfence scan
    [ ] Check firewall log
    [ ] Verify 2FA active
    [ ] Review user list
    [ ] Check file permissions
[ ] 6. PERFORMANCE CHECK
    [ ] PageSpeed Insights scores
    [ ] Compare to last month
    [ ] TTFB check
    [ ] Cache functioning
[ ] 7. DATABASE OPTIMIZATION
    [ ] Clean revisions
    [ ] Clean transients
    [ ] Delete spam/trash
    [ ] Optimize tables
    [ ] WooCommerce session cleanup
[ ] 8. UPTIME & ERRORS
    [ ] Uptime monitoring review
    [ ] Error log review
    [ ] SSL certificate check
[ ] 9. SEO CHECK
    [ ] Search Console issues
    [ ] Crawl errors
    [ ] Sitemap status
[ ] 10. WOOCOMMERCE (if applicable)
    [ ] Test checkout flow
    [ ] Payment gateway test
    [ ] Email notifications check
    [ ] Failed orders review
NOTES:
______________________________
______________________________
______________________________
What This Costs
DIY (business owner does it themselves):
- Time: 30-60 minutes per site per month
- Tools: WP Rocket ($59/yr), Wordfence Free, UpdraftPlus Free, UptimeRobot Free
- Total cost: ~$5/month in tools + your time
- Risk: Non-technical owners may miss security issues or cause problems with plugin updates
Developer maintenance retainer:
- Cost: $100-$500/month depending on site complexity and number of sites
- What you get: All of the above done by someone who knows what to look for, plus priority support when something breaks
- Best for: Businesses that cannot afford downtime and do not have technical staff
My recommendation:
If your WordPress site generates revenue — through ecommerce, lead generation, or client acquisition — invest in a maintenance retainer or at minimum, commit to running this checklist monthly. The cost of monthly maintenance is a fraction of the cost of recovering from a hack, a crashed site, or a month of slow performance silently killing your conversion rate.
Mostafa Faysal
Systems developer who builds ecommerce platforms, business automation, and SaaS products. 15+ production systems shipped.
